Malware Analysis Report

2024-10-19 08:41

Sample ID 240421-bdc11seg22
Target 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
SHA256 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d
Tags
office04 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d

Threat Level: Known bad

The file 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar payload

Quasar family

Detects executables containing common artifacts observed in infostealers

Quasar RAT

Detects Windows executables referencing non-Windows User-Agents

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-21 01:01

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-21 01:01

Reported

2024-04-21 01:03

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1664 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1664 wrote to memory of 1752 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 1752 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2392 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2392 wrote to memory of 520 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 520 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 1164 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1164 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1164 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 1160 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2464 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2464 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2464 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2752 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2080 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2080 wrote to memory of 792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2080 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2052 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcu9hM6fwUmg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2hX7YoXAiZtn.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xC4qmhW8BKM9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lDxNTViNea5x.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\05h3WIkJ3JWL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QoM3mH8QPiCm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vBjIcygJHTap.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5NOMARytxZyT.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3wvPcY20s03U.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fc1GE2bZ1Cr4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYNF9gfitPQ5.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\c6nVYq2JAFej.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EPRRIO65ntoo.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp

Files

C:\Users\Admin\AppData\Local\Temp\hcu9hM6fwUmg.bat

C:\Users\Admin\AppData\Local\Temp\2hX7YoXAiZtn.bat

C:\Users\Admin\AppData\Local\Temp\xC4qmhW8BKM9.bat

C:\Users\Admin\AppData\Local\Temp\lDxNTViNea5x.bat

C:\Users\Admin\AppData\Local\Temp\05h3WIkJ3JWL.bat

C:\Users\Admin\AppData\Local\Temp\QoM3mH8QPiCm.bat

C:\Users\Admin\AppData\Local\Temp\vBjIcygJHTap.bat

\??\PIPE\lsarpc

C:\Users\Admin\AppData\Local\Temp\5NOMARytxZyT.bat

C:\Users\Admin\AppData\Local\Temp\3wvPcY20s03U.bat

C:\Users\Admin\AppData\Local\Temp\fc1GE2bZ1Cr4.bat

C:\Users\Admin\AppData\Local\Temp\lYNF9gfitPQ5.bat

C:\Users\Admin\AppData\Local\Temp\c6nVYq2JAFej.bat

C:\Users\Admin\AppData\Local\Temp\EPRRIO65ntoo.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-21 01:01

Reported

2024-04-21 01:03

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2364 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 4948 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4948 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4948 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4948 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4948 wrote to memory of 5724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4948 wrote to memory of 5724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 5724 wrote to memory of 5396 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 5724 wrote to memory of 5396 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 5396 wrote to memory of 5388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5396 wrote to memory of 5388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5396 wrote to memory of 440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5396 wrote to memory of 440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5396 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 5396 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2992 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 3620 wrote to memory of 368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3620 wrote to memory of 368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3620 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3620 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3620 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 3620 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4268 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 4268 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 1424 wrote to memory of 5304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1424 wrote to memory of 5304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1424 wrote to memory of 3576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1424 wrote to memory of 3576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1424 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 1424 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2648 wrote to memory of 5448 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 5448 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 5448 wrote to memory of 1028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5448 wrote to memory of 1028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5448 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5448 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5448 wrote to memory of 4140 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 5448 wrote to memory of 4140 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4140 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 4140 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2196 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2196 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2196 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2196 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2196 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2824 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2824 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4364 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4364 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4364 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4364 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4364 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 376 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 376 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 4164 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4164 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4164 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4164 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4164 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4164 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B6Qr5xuri0MQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WBNKSc7YqxHZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IU7MkvoWPN89.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ic6o0TEDzaul.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lm3U0aHl8yDh.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsBSjKzGd8h0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gz7FjJS4VDK1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWxLMRP0ArFF.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dPt59TNSZPlX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiWcxPYLgnLk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmsDsSdswnyt.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEPfOObRDCbt.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fXB9HtgbAFEM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A66tV2t88DhR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeCdS39Mnr0S.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost
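The process list above repeats one four-step sequence for each of the fifteen .bat files: the payload launches cmd.exe on a randomly named batch file in %TEMP%, the batch file runs chcp 65001 (switches the console code page to UTF-8) and ping -n 10 localhost (a batch-file sleep idiom: ten echoes roughly one second apart, so about nine seconds), then starts the payload again, and the new instance begins the cycle over. The "Suspicious use of WriteProcessMemory" table records the same chain as parent/child PIDs. The Python below is an added example, not part of the sandbox output: it rebuilds the chain from rows in that table's format and reports every generation in which the full payload → cmd.exe → {chcp.com, PING.EXE, payload} pattern is present. ROWS is copied from the first two generations of the table above; the image paths are those of this detonation.

```python
"""Rebuild the process chain from 'Suspicious use of WriteProcessMemory' rows
and flag the cmd.exe -> chcp.com / PING.EXE -> self-relaunch loop.

Added example for this report, not sandbox code. ROWS is copied from the
table above (first two generations); the sandbox lists most writes twice.
"""
import re

PAYLOAD = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe")
CMD = r"C:\Windows\system32\cmd.exe"
CHCP = r"C:\Windows\system32\chcp.com"
PING = r"C:\Windows\system32\PING.EXE"

ROWS = [
    f"PID 2364 wrote to memory of 4948 N/A {PAYLOAD} {CMD}",
    f"PID 2364 wrote to memory of 4948 N/A {PAYLOAD} {CMD}",
    f"PID 4948 wrote to memory of 2256 N/A {CMD} {CHCP}",
    f"PID 4948 wrote to memory of 2256 N/A {CMD} {CHCP}",
    f"PID 4948 wrote to memory of 1336 N/A {CMD} {PING}",
    f"PID 4948 wrote to memory of 1336 N/A {CMD} {PING}",
    f"PID 4948 wrote to memory of 5724 N/A {CMD} {PAYLOAD}",
    f"PID 4948 wrote to memory of 5724 N/A {CMD} {PAYLOAD}",
    f"PID 5724 wrote to memory of 5396 N/A {PAYLOAD} {CMD}",
    f"PID 5396 wrote to memory of 5388 N/A {CMD} {CHCP}",
    f"PID 5396 wrote to memory of 440 N/A {CMD} {PING}",
    f"PID 5396 wrote to memory of 2992 N/A {CMD} {PAYLOAD}",
]

# Column layout: "PID <parent> wrote to memory of <child> <indicator> <parent image> <child image>".
# Image paths in this report contain no spaces, so \S+ is sufficient here.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Map child PID -> (parent PID, parent image, child image); duplicate rows collapse."""
    procs = {}
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            ppid, pid, pimg, cimg = m.groups()
            procs[int(pid)] = (int(ppid), pimg, cimg)
    return procs


def children_of(procs, pid):
    """Child PID -> child image basename for one parent PID."""
    return {c: basename(info[2]) for c, info in procs.items() if info[0] == pid}


def find_relaunch_loops(procs, payload_name):
    """Return (payload PID, cmd PID, relaunched payload PID) for every generation
    in which payload -> cmd.exe -> {chcp.com, ping.exe, payload} is complete."""
    hits = []
    for cmd_pid, (ppid, pimg, cimg) in sorted(procs.items()):
        if basename(cimg) != "cmd.exe" or basename(pimg) != payload_name:
            continue
        kids = children_of(procs, cmd_pid)
        names = set(kids.values())
        if {"chcp.com", "ping.exe"} <= names and payload_name in names:
            for child_pid, name in kids.items():
                if name == payload_name:
                    hits.append((ppid, cmd_pid, child_pid))
    return hits


PING_SLEEP_RE = re.compile(
    r"ping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)", re.I)


def ping_sleep_seconds(cmdline):
    """'ping -n N localhost' used as a sleep: N echoes about one second apart,
    so roughly N-1 seconds elapse. Returns None when the line is not that idiom."""
    m = PING_SLEEP_RE.search(cmdline)
    return max(int(m.group(1)) - 1, 0) if m else None


if __name__ == "__main__":
    procs = parse_rows(ROWS)
    for ppid, cpid, rpid in find_relaunch_loops(procs, basename(PAYLOAD)):
        print(f"relaunch generation: {ppid} -> cmd.exe {cpid} -> {rpid}")
    print("ping sleep (s):", ping_sleep_seconds("ping -n 10 localhost"))
```

Run against the full table, the same function returns one tuple per generation, which gives a quick count of how many times the payload respawned during detonation; the relaunched PID of each tuple is the parent PID of the next.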

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
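Every row in the table is one of three things: a reverse (in-addr.arpa) lookup, a Bing lookup followed by a TCP connection to Microsoft address space, or a DNS query for Kneegrowless-33547.portmap.host. That last name is queried fifteen times, matching the fifteen payload instances in the process list, and is never followed by a TCP connection, so the sandbox did not observe the C2 channel itself. portmap.host is a hostname suffix of a port-forwarding service that lets an operator expose a server behind NAT, which is how Quasar controllers are commonly reached. The Python below is an added example, not part of the report: it summarises rows in this table's format per domain and flags names that are resolved repeatedly without a connection, or that sit under a port-forwarding or dynamic-DNS provider. ROWS is a subset copied from the table above; WATCH_SUFFIXES is an assumed analyst watchlist, not something the report contains.

```python
"""Summarise sandbox Network rows per domain and flag C2-like names.

Added example for this report, not sandbox code. ROWS is a subset copied from
the Network table above; WATCH_SUFFIXES is an assumed analyst watchlist.
"""
import re
from collections import defaultdict

ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.237:443 g.bing.com tcp",
    "US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp",
    "US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp",
    "US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp",
]

# Assumed watchlist of providers that hand out attacker-chosen hostnames.
WATCH_SUFFIXES = (".portmap.host", ".portmap.io", ".ddns.net", ".duckdns.org")

# Column layout: "<country> <ip>:<port> <domain> <proto>"
ROW_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (udp|tcp)$")


def is_reverse_lookup(domain):
    return domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa")


def summarize(rows):
    """domain (lower-cased) -> {'dns': queries, 'tcp': connections, 'peers': {ip:port}}.
    A UDP row to port 53 is a resolver query for the domain; a TCP row is a
    connection to a host the domain resolved to."""
    stats = defaultdict(lambda: {"dns": 0, "tcp": 0, "peers": set()})
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        entry = stats[domain.lower()]
        if proto == "udp" and port == "53":
            entry["dns"] += 1
        elif proto == "tcp":
            entry["tcp"] += 1
            entry["peers"].add(f"{ip}:{port}")
    return dict(stats)


def findings(stats, min_lookups=3, watch=WATCH_SUFFIXES):
    """domain -> list of reasons. Reverse lookups are resolver noise and skipped."""
    out = {}
    for domain, s in stats.items():
        if is_reverse_lookup(domain):
            continue
        reasons = []
        if any(domain.endswith(suffix) for suffix in watch):
            reasons.append("hostname under a port-forwarding/DDNS provider")
        if s["dns"] >= min_lookups and s["tcp"] == 0:
            reasons.append(f"{s['dns']} lookups, no connection observed")
        if reasons:
            out[domain] = reasons
    return out


if __name__ == "__main__":
    stats = summarize(ROWS)
    for domain, reasons in findings(stats).items():
        print(domain)
        for reason in reasons:
            print("  -", reason)
```

The "lookups without a connection" rule is what distinguishes a dead or unreachable C2 from benign telemetry: the Bing names resolve once and connect, while the portmap.host name is queried on every relaunch and never reached. Lower the min_lookups threshold when a sample runs for a shorter time, and treat the watchlist as a starting point rather than an allow/deny decision.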

Files

memory/2364-0-0x0000000000200000-0x0000000000524000-memory.dmp

memory/2364-1-0x00007FF9DDC60000-0x00007FF9DE721000-memory.dmp

memory/2364-2-0x000000001B2C0000-0x000000001B2D0000-memory.dmp

memory/2364-3-0x00000000027C0000-0x0000000002810000-memory.dmp

memory/2364-4-0x000000001B9D0000-0x000000001BA82000-memory.dmp

memory/2364-9-0x00007FF9DDC60000-0x00007FF9DE721000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B6Qr5xuri0MQ.bat

MD5 5ab0024c270038f4b11594e0eec74a43
SHA1 0e74f8c7a3ed0ad4bd51b622a4f25b343fe9e4ce
SHA256 bae6fd348097162693021f5f37c924c4502ecb298766959c1b68962290ca82dd
SHA512 60f4af975becfd91c733f8b10c008a450946efc50ed6b664af5ae5e9593c0c56ba8bc6393087125365a24d70d5630c9a90ce283b32a9bd31cf71e4c3c1c782a0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

memory/5724-12-0x00007FF9DCC20000-0x00007FF9DD6E1000-memory.dmp

memory/5724-13-0x000000001BA20000-0x000000001BA30000-memory.dmp

memory/5724-17-0x00007FF9DCC20000-0x00007FF9DD6E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WBNKSc7YqxHZ.bat

MD5 159c38ee85d7bfb5368b271cdd4d37d7
SHA1 6b95bb982b9676c40ab24b9293b31480a1ff2dfc
SHA256 34332ecac8377798168d135b0e195668d26b3fed345333704162d54d65ac2189
SHA512 05f2b1e14e065d47da55a977ba163d2eee6565b8b9d4223677832bd40cbac829f8f7076283474ade9ba4ff9ca5fe582941958ba44f5cf5292e0e818b326eb5a7

memory/2992-19-0x00007FF9DC6F0000-0x00007FF9DD1B1000-memory.dmp

memory/2992-23-0x00007FF9DC6F0000-0x00007FF9DD1B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IU7MkvoWPN89.bat

MD5 0b8fd3e33695e016100d6162b110ee9b
SHA1 c1cd98063ab53c291aad4f4eee810045c18f8abf
SHA256 25381ba5bdfa3bf1f3924150a8412af43ff7b9735255b3c779b143aac0583337
SHA512 178e33379a3242e09ac14dfc19525235e70e5dac3cd1e7ee9c079ee8e328810b287e1331946bf11131f73bf6bf90c0a449f4e9fb8f2e65f3680d95ca25de6f5c

memory/4268-25-0x00007FF9DC680000-0x00007FF9DD141000-memory.dmp

memory/4268-29-0x00007FF9DC680000-0x00007FF9DD141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ic6o0TEDzaul.bat

MD5 8b34af3b125450f32183f3a6fb8c8bc5
SHA1 348a3f990d8c82e587016e32f659e87ab8fcd1c6
SHA256 02d9a20932cc52c1dac0fc077ef2d6a10ac593dfc0c44d8b6b2804d42de179d1
SHA512 00f2bb08eb736a9ff6d5feeec551109768e2d555ae0fcb2c138d90bb8f6b8953b252d9bf11cd93905ff96e86eb9f7054cc06889d4047159561ed2d41a648bafb

memory/2648-31-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

memory/2648-35-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lm3U0aHl8yDh.bat

MD5 04bc50d9a5e09aa08d51c362caf30bdc
SHA1 e1ad769ca24e64445495af8f67a09c74c007f132
SHA256 5afc3b5c86f115768ed86795563b647480be89fd2c83a4b74a77e45091a313e7
SHA512 37c17e69b2f2d25926e8cadb57a1c2724fab1cd32e08709dd39588ea36f6921039883011c3fb2076b991f8e3ce606b786d0a1f3045b56bad9634abc40cbab7e5

memory/4140-37-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsBSjKzGd8h0.bat

MD5 3de21e95b0e9586eecfae2c92204516c
SHA1 deb6f830795c2ea29d52918a27a4a79e2cdef247
SHA256 2c0f91920f1694e28e697e6a169963bffe288dba305a7d7d35efcc45b79345a6
SHA512 e4afa5755007df7527f24bfd1f5f05901b1a1231bce10280d364ac23c2a38dcb6c5bf4f35b6f36ce80ae945608947c5029738f647ea39bed4501200547a356b5

memory/4140-42-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

memory/2824-43-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

memory/2824-47-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gz7FjJS4VDK1.bat

MD5 d9d83cec1c3a8129d4807c7bc28ef3e8
SHA1 0fe55b9ce659f700381a2009bfaf4cafffc6b7a9
SHA256 07d08e5a8abc3e73148d57a3fe8b0a52d905de3edd897111770979a1c1e5800d
SHA512 ca5e33b0ea20bee6e9caad50d655b0a867e78097abdfab1b4f4e8e319b18f64fbf1fd3e1005dd32f929947edb775a96cf28ca14447285b7f627d9047de71c5a2

memory/376-49-0x00007FF9DBEF0000-0x00007FF9DC9B1000-memory.dmp

memory/376-53-0x00007FF9DBEF0000-0x00007FF9DC9B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iWxLMRP0ArFF.bat

MD5 44fa127b70a18c826ae5aebe32b619c2
SHA1 71a260b41d2398a28dd7d6277e292d2425cbba9f
SHA256 2e408e5c450fc51a5041511b0fd155df9b5ab9b96216079e785d230bc593036a
SHA512 d44f1faa5238ecc18c018968845ba175a71aa72f7982621e679a30beb51982c0a88fe5c0ec09ead6243ba2de942d153be13e51602648153cb7d7b97ef1724c9d

memory/2400-55-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dPt59TNSZPlX.bat

MD5 5f94421aa7db953fe2d3715f75382126
SHA1 6ec97f04840a7dac41408062f21e9e8d4fe26954
SHA256 d1c0884b89581428d11ffa865a472447a88237b24da782af3ff722d9ca0d80d4
SHA512 f6a469728a57fd7bf8510c5e9b4b5972ea7b96f92203d54df028750740fa67a0de7102becfeb99c38301f34f715cd7a5f70eeed398b62da91014f68ae55f5e48

memory/2400-60-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

memory/1384-61-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

memory/1384-65-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FiWcxPYLgnLk.bat

MD5 2a2663761c7cc9e5136be4dc64f691e3
SHA1 f5f94ce067bb40bea6ef091f74c60b1e64d7ddec
SHA256 37c79fa5882995298adad9cfc8f0bb9480e49aa17ed98f4ea26bfc5bb3e4fea2
SHA512 6d68e3506cf2d4f5635cf9603944b57528cc5e80e2a69b74e3c0315e857883c291e38111bf66f3c3dabd567ff65b1182d4c998eca660c727c37a4295cb8fa972

memory/8-67-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

memory/8-71-0x00007FF9DC160000-0x00007FF9DCC21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hmsDsSdswnyt.bat

MD5 05a3e226b08fbe7f98370fbabe248d6a
SHA1 fb2496156f114e362aba1fb8104b4fca2e1ff727
SHA256 c9e7ec7ccc3f8aefab58d15cc01e3b0ad9e1846d466daf3afb08ae0d039903f1
SHA512 082846e4ec628de35bac23282425ea61889d3ee33ed3f231f224690023a42f89cb0e332ac282ba72fa3686587f04f6c93b6a78d4c856fb7e6147d9a849625200

memory/5792-73-0x00007FF9DBB30000-0x00007FF9DC5F1000-memory.dmp

memory/5792-77-0x00007FF9DBB30000-0x00007FF9DC5F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QEPfOObRDCbt.bat

MD5 a1b54ca8d0a3151b6b8476c97ae618db
SHA1 59ba3a7244b1c5b86fa43ccc9d3fdd0e5ab173b7
SHA256 09de529a155a7a9fb693ec4f67a1b2a8827a9a0163eff31a8f339de3eb5ecc2a
SHA512 075bc688d8c9048f884deb8e8e4572a57bc4232aa25c62ed5256162f1b37b71f7a04548c0300e6640db335d15a123ec0587a9f48344b19fb1261a7148d546c3d

memory/2536-79-0x00007FF9DBBE0000-0x00007FF9DC6A1000-memory.dmp

memory/2536-83-0x00007FF9DBBE0000-0x00007FF9DC6A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fXB9HtgbAFEM.bat

MD5 39b8c5a7ac2b233e948b6f19f3a8c2c8
SHA1 a8fff5103488d56d8e035c49831fd30b4db82a24
SHA256 27812be4f42c4d5f7c1e62f52ca80d50c26a856b08bec3e6eff026b451dfcca2
SHA512 37a0c516951b92b32a232454ea8e35209957966c2e965cd33090f83d50c2315c4ea76839e6ed2e0c055b9b72dcddae89c9406910a411647bfa8cd93e7598c74a

memory/5724-85-0x00007FF9DBBE0000-0x00007FF9DC6A1000-memory.dmp

memory/5724-89-0x00007FF9DBBE0000-0x00007FF9DC6A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A66tV2t88DhR.bat

MD5 67ab5fe211fbce2285b26980c71b6381
SHA1 37788f8a1fa045266533973f66f68e0289b71b3d
SHA256 49b2df6a0f3a9929999be2362abfc24f0c530f6a7c8f99d23ab47bc1fd939819
SHA512 39f14b89acc10a33576577df5e7aa1fc9f1a763cba5c1c43b063cb201969f00dd278f59814a1183faed56ddc4bfca484082f90ee9f51845917121fd007d81559

memory/1476-91-0x00007FF9DBBE0000-0x00007FF9DC6A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PeCdS39Mnr0S.bat

MD5 aa75a9b672331c0b9b3dc6260931106d
SHA1 9c0a770fe591cc67605185b15e0f9ddaa035e0bd
SHA256 d88c30a15c6db41bc7cc6025e5f06c4602df348e99343a4f243365928b55f378
SHA512 693da3f3d3ce676ff2a707ee6f2f09caacfa906a2b7742485ba928de1841c241b62ccc2c5002985d2aade6b57b6ed60dc84438f9111e1b96c473b6f3b5eb25db

memory/1476-96-0x00007FF9DBBE0000-0x00007FF9DC6A1000-memory.dmp